Google's for-profit surveillance problem

"We know where you are. We know where you’ve been. We can more or less know what you’re thinking about."

"Your digital identity will live forever... because there’s no delete button."

—Eric Schmidt

Early last week, some of the biggest names in Silicon Valley announced that they had gotten together to form a new forward-thinking organization dedicated to promoting government surveillance reform in the name of "free expression" and "privacy."

The charade should have been laughed at and mocked — after all, these same companies feed on privacy for profit, and unfettered surveillance is their stock and trade. Instead, it was met with cheers and fanfare from reporters and privacy and tech experts alike. "Finally!" people cried, Silicon Valley has grown up and matured enough to help society tackle the biggest problem of our age: the runaway power of the modern surveillance state.

The Guardian described the tech companies' plan as "radical," and predicted it would "end many of the current programs through which governments spy on citizens at home and abroad." Laura W. Murphy, Director of ACLU's DC Legislative Office, published an impassioned blog post praising tech giants for urging President Barack Obama and Congress to enact comprehensive reform of government surveillance. Silicon Valley booster Jeff Jarvis could hardly contain his glee. "Bravo," he yelped. "The companies came down at last on the side of citizens over spies." And then added:

Spying is bad for the internet; what’s bad for the internet is bad for Silicon Valley; and — to reverse the old General Motors saw — what’s bad for Silicon Valley is bad for America.

But while leading tech and privacy experts like Jarvis slobber over Silicon Valley megacorps and praise their heroic stand against oppressive government surveillance, most still don't seem to mind that these same tech billionaires run vast private sector surveillance operations of their own: hi-tech spying operations that vacuum up private information and use it to compile detailed dossiers on hundreds of millions of people around the world — and that's on top of their work colluding and contracting with government intelligence agencies.

If you step back and look at the bigger picture, it's not hard to see that Silicon Valley runs on for-profit surveillance, and that it dwarfs anything being run by the NSA.

Last week, I wrote about Google's Street View program, and how after a series of investigations in the US and Europe, we learned that Google had used its Street View cars to carry out a covert — and certainly illegal — espionage operation on a global scale, siphoning loads of personally identifiable data from people’s Wi-Fi connections all across the world. Emails, medical records, love notes, passwords, the whole works — anything that wasn’t encrypted was fair game. It was all part of the original program design: Google had equipped its Street View cars with surveillance gear designed to intercept and vacuum up all the wireless network communication data that crossed their path. An FCC investigation showing that the company knowingly deployed Street View's surveillance program, and then had analyzed and integrated the data that it had intercepted.

Most disturbingly, when its Street View surveillance program was uncovered by regulators, Google pulled every crisis management trick in the book to confuse investors, dodge questions, avoid scrutiny, and prevent the public from finding out the truth. The company's behavior got so bad that the FCC fined it for obstruction of justice.

The investigation in Street View uncovered a dark side to Google. But as alarming as it was, Google's Street View wiretapping scheme was just a tiny experimental program compared to Google's bread and butter: a massive surveillance operation that intercepts and analyzes terabytes of global Internet traffic every day, and then uses that data to build and update complex psychological profiles on hundreds of millions of people all over the world — all of it in real time. You've heard about this program. You probably interact with it every day. You call it Gmail.

Google launched Gmail in 2004. It was the company's first major "log in" service and was aimed at poaching email users from Microsoft and Yahoo. To do that, Google offered one gigabyte of free storage space standard with every account. It was an insane amount of data at the time — at least several hundred times more space than what was being offered by Yahoo or Hotmail — and people signed up en masse. At one point, Gmail's limited pre-public release invites were so desirable that at one point they fetched over $150 on eBay.

To tech reporters, Gmail's free email service was nothing short of revolutionary. New York Times tech columnist David Pogue wrote: "One gigabyte changes everything. You no longer live in terror that somebody will send you a photo, thereby exceeding your two-megabyte limit and making all subsequent messages bounce back to their senders."

And what about the fact that Gmail scanned your email correspondence to deliver targeted ads? Well, what of it?

Gmail users handed over all their personal correspondence to Google, giving the company the right to scan, analyze, and retain in perpetuity their correspondence in return for a gigabyte of storage, which even at that early stage already cost Google only $2 per gigabyte per year.

Selling the contents of our private and business life to a for-profit corporation in return for half a Big Mac a year? What a steal!

You'd be hard pressed to find a bum who'd sell out to Google that cheap. But most mainstream tech journalists weren't that scrupulous, and lined up to boost Gmail to the public.

"The only population likely not to be delighted by Gmail are those still uncomfortable with those computer-generated ads. Those people are free to ignore or even bad-mouth Gmail, but they shouldn't try to stop Google from offering Gmail to the rest of us. We know a good thing when we see it," wrote Pogue in 2004.

But not everyone was as excited as Mr. Pogue.

Several privacy groups, including the Electronic Privacy Information Center, were alarmed by Gmail's vast potential for privacy abuse. In particular, EPIC was concerned that Google was not restricting its email scanning activities solely to its registered user base, but was intercepting and analyzing the private communication of anyone who emailed with a Gmail user:

"Gmail violates the privacy rights of non-subscribers. Non-subscribers who e-mail a Gmail user have 'content extraction' performed on their e-mail even though they have not consented to have their communications monitored, nor may they even be aware that their communications are being analyzed," EPIC explained at the time. The organization pointed out that this practice almost certainly violates California wiretapping statues — which expressly criminalizes the interception of electronic communication without consent of all parties involved.

What spooked EPIC even more: Google was not simply scanning people's emails for advertising keywords but had developed underlying technology to compile sophisticated dossiers of everyone who came through its email system. All communication was subject to deep linguistic analysis; conversations were parsed for keywords, meaning, and even tone; individuals were matched to real identities using contact information stored in a user's Gmail address book; attached documents were scraped for intel — that info was then cross-referenced with previous email interactions and combined with stuff gleaned from other Google services, as well as third-party sources...

Here's are some of the things that Google would use to construct its profiles, gleaned from twopatents company filed prior to launching its Gmail service:

To EPIC, Google's interception and use of such detailed personal information was clearly a violation of California law, and the organization called on California's Attorney General who promised to investigate Google's Gmail service. The Attorney General promised to look into the matter, but nothing much happened.

Meanwhile, Gmail's user base continued to rocket. As of this month, there are something like 425 million active users around the world using email services. Individuals, schools, universities, companies, government employees, non-profits — and it's not just Gmail anymore.

After its runaway success with Gmail, Google aggressively expanded its online presence, buying up smaller tech companies and deploying a staggering number of services and apps. In just a few years, Google had suddenly become ubiquitous, inserting themselves into almost every aspect of our lives: We search through Google, browse the Web through Google, write in Google, store our files in Google and use Google to drive and take public transport. Hell, even our mobile phones run on Google.

All these services might appear disparate and unconnected. To the uninitiated, Google's offering of free services — from email, to amazing mobile maps, to a powerful replacement for Microsoft Office — might seem like charity. Why give away this stuff for free? But to think that way is to miss the fundamental purpose that Google serves and why it can generate nearly $20 billion in profits a year.

The Google services and apps that we interact with on a daily basis aren't the company's main product: They are the harvesting machines that dig up and process the stuff that Google really sells: for-profit intelligence.

Google isn't a traditional Internet service company. It isn't even an advertising company. Google is a whole new type of beast: a global advertising-intelligence company that tries to funnel as much user activity in the real and online world through its services in order to track, analyze, and profile us: It tracks as much of our daily lives as possible — who we are, what we do, what we like, where we go, who we talk to, what we think about, what we're interested in. All those things are seized, packaged, commodified, and sold on the market — at this point, most of the business comes from matching the right ad to the right eyeballs. But who knows how the massive database Google's compiling on all of us will be used in the future?

No wonder that when Google first rolled out Gmail in 2004, cofounder Larry Page refused to rule out that the company would never combine people's search and browsing history with their Gmail account profiles: "It might be really useful for us to know that information. I'd hate to rule anything like that out." Indeed it was. Profitable, too.

It's been almost a decade since Google launched its Gmail service, but the fundamental questions about the legality of the company's surveillance operations first posed by EPIC have not been resolved.

Indeed, a class action lawsuit currently winding its way through California federal court system shows that we've not moved an inch.

The complaint — a consolidation of six separate class action lawsuits that had been filed against Google in California, Florida, Illinois, Maryland, and Pennsylvania — accuses Google of illegally intercepting, reading, and profiting off people’s private correspondence without compensation. The lawsuit directly challenges Google's legal right to indiscriminately vacuum up people's data without clear consent, and just might be the biggest threat Google has ever faced.

Here's how the New York Times described the case:

Wiretapping is typically the stuff of spy dramas and shady criminal escapades. But now, one of the world’s biggest Web companies, Google, must defend itself against accusations that it is illegally wiretapping in the course of its everyday business — gathering data about Internet users and showing them related ads.

…The Gmail case involves Google’s practice of automatically scanning e-mail messages and showing ads based on the contents of the e-mails. The plaintiffs include voluntary Gmail users, people who have to use Gmail as part of an educational institution and non-Gmail users whose messages were received by a Gmail user. They say the scanning of the messages violates state and federal antiwiretapping laws.
Google has aggressively fought the lawsuit. It first convinced a judge to put it under seal — which redacted most of the complaint and made it unavailable to public scrutiny — and then made a series of disingenuous arguments in an attempt to get the get the lawsuit preemptively dismissed. Google's attorneys didn't dispute its for-profit surveillance activities. What they claimed was that intercepting and analyzing electronic communication, and using that information to build sophisticated psychological profiles, was no different than scanning emails for viruses or spam. And then they made a stunning admission, arguing that, as far as Google saw it, people who used Internet services for communication had "no legitimate expectation of privacy" — and thus anyone who emailed with Gmail users had given "implied consent" for Google to intercept and analyze their email exchange.

No expectation of privacy? Implied consent for surveillance?

Google's claims were transparently disingenuous, and Judge Lucy Koh rejected them out of hand and allowed the lawsuit to proceed.

Unfortunately, it's difficult to comment on or analyze the contents of the class action lawsuit filed against Google, as the company redacted just about all of it. One thing is clear: the complaint goes beyond simple wiretapping and brings into question an even bigger concern: Who owns the digital personal information about our lives — our thoughts, ideas, interactions, personal secrets, preferences, desires and hopes? And can all these things be seized bit by bit, analyzed, packaged, commodified and then bought and sold on the market like any other good? Can Google do that? What rights do we have over our inner lives?

It's scary and crazy. Especially when you think of kids born today: Their entire lives will be digitally surveilled, recorded, analyzed, stored somewhere, and then passed around from company to company. What happens to that information?

What happens to all this data in the future should be of serious concern. Not only because, with the right warrant (or in many cases without) the data is available to law enforcement. But also because in the unregulated hands of Google, our aggregated psychological profiles are an extremely valuable asset that could be used for almost anything.

EPIC points out that Google reserves the right to "transfer all of the information, including any profiles created, if and when it is merged or sold." How do we know that information won’t end up in some private background check database that’ll be available to your boss? How do we know this information won't be hacked or stolen and won't fall into the hands of scammers and repressive dictators?

The answer is: We don't. And these tech companies would rather keep us in the dark and not caring.

Google's corporate leadership understands that increased privacy regulations could torpedo its entire business model and the company takes quite a lot of space on its SEC filing disclosing the dangers to its investors:

Privacy concerns relating to elements of our technology could damage our reputation and deter current and potential users from using our products and services...

We also face risks from legislation that could be passed in the future. For example, there is a risk that state legislatures will attempt to regulate the automated scanning of email messages in ways that interfere with our Gmail free advertising-supported web mail service. Any such legislation could make it more difficult for us to operate or could prohibit the aspects of our Gmail service that uses computers to match advertisements to the content of a user’s email message when email messages are viewed using the service. This could prevent us from implementing the Gmail service in any affected states and impair our ability to compete in the email services market…
Former Google CEO Eric Schmidt has not been shy about his company's views on Internet privacy: People don't have any, nor should they expect it. "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," he infamously told CNBC in 2009. And he's right. Because true Internet privacy and real surveillance reform would be the end of Google.

And not just Google, but nearly every major consumer Silicon Valley company — all of them feed people's personal data one way or another and depend on for-profit surveillance for survival.

Which brings me to Silicon Valley's "Reform Government Surveillance" project.

The fact that the biggest, most data-hungry companies in Silicon Valley joined up in a cynical effort to shift attention away from their own for-profit surveillance operations and blame it all on big bad government is to be expected. What's surprising is just how many supposed journalists and so-called privacy advocates fell for it.